Using multicasting to provide ethernet-like communication behavior to selected peers on a network

ABSTRACT

Methods and systems consistent with the present invention provide a Supernet, a private network constructed out of components from a public-network infrastructure. Supernet nodes can be located on virtually any device in the public network (e.g., the Internet), and both their communication and utilization of resources occur in a secure manner. The Supernet also uses multicast communication to create Ethernet-like communication between its nodes. In using multicasting, each communication of each node on a channel in the private network is sent to a multicast address which sends it to all of the nodes on the channel. Sending a copy of every communication to all of the other nodes on the channel makes system tasks, like debugging, easy for the nodes on the channel. The multicasting provided by the private network is dynamic in that multicast addresses can be assigned for use by a channel and reclaimed so as to allow sharing of the multicast addresses.

RELATED APPLICATIONS

The following identified U.S. patent applications are relied upon andare incorporated by reference in this application.

U.S. patent application Ser. No. 09/458,043, entitled “SYSTEM AND METHODFOR SEPARATING ADDRESSES FROM THE DELIVERY SCHEME IN A VIRTUAL PRIVATENETWORK,” and filed on the same date herewith.

-   -   U.S. patent application Ser. No. 09/457,917, entitled “TRULY        ANONYMOUS COMMUNICATIONS USING SUPERNETS WITH THE PROVISION OF        TOPOLOGY HIDING,” and filed on the same date herewith.    -   U.S. patent application Ser. No. 09/457,889, entitled “METHOD        AND SYSTEM FOR FACILITATING RELOCATION OF DEVICES ON A NETWORK,”        and filed on the same date herewith.    -   U.S. patent application Ser. No. 09/457,916, entitled        “SANDBOXING APPLICATIONS IN A PRIVATE NETWORK USING A        PUBLIC-NETWORK INFRASTRUCTURE,” and filed on the same date        herewith.    -   U.S. patent application Ser. No. 09/457,894, entitled “SECURE        ADDRESS RESOLUTION FOR A PRIVATE NETWORK USING A PUBLIC NETWORK        INFRASTRUCTURE,” and filed on the same date herewith.    -   U.S. patent application Ser. No. 09/458,020, entitled        “DECOUPLING ACCESS CONTROL FROM KEY MANAGEMENT IN A NETWORK,”        and filed on the same date herewith.    -   U.S. patent application Ser. No. 09/457,895, entitled        “CHANNEL-SPECIFIC FILE SYSTEM VIEWS IN A PRIVATE NETWORK USING A        PUBLIC NETWORK INFRASTRUCTURE,” and filed on the same date        herewith.    -   U.S. patent application Ser. No. 09/458,020, entitled “PRIVATE        NETWORK USING A PUBLIC-NETWORK INFRASTRUCTURE,” and filed on the        same date herewith.    -   U.S. patent application Ser. No. 09/457,914, entitled “SYSTEM        AND METHOD FOR ENABLING SCALABLE SECURITY IN A VIRTUAL PRIVATE        NETWORK,” and filed on the same date herewith.    -   U.S. patent application Ser. No. 09/457,896, entitled        “ANYCASTING IN A PRIVATE NETWORK USING A PUBLIC NETWORK        INFRASTRUCTURE,” and filed on the same date herewith.    -   U.S. patent application Ser. No. 09/458,021, entitled “SCALABLE        SECURITY ASSOCIATIONS FOR GROUPS FOR USE IN A PRIVATE NETWORK        USING A PUBLIC-NETWORK INFRASTRUCTURE,” and filed on the same        date herewith.    -   U.S. patent application Ser. No. 09/458,044, entitled “ENABLING        SIMULTANEOUS PROVISION OF INFRASTRUCTURE SERVICES,” and filed on        the same date herewith.

FIELD OF THE INVENTION

The present invention relates generally to data processing systems and,more particularly, to a private network using a public-networkinfrastructure.

BACKGROUND OF THE INVENTION

As part of their day-to-day business, many organizations require anenterprise network, a private network with lease lines, dedicatedchannels, and network connectivity devices, such as routers, switches,and bridges. These components, collectively known as the network's“infrastructure,” are very expensive and require a staff of informationtechnology personnel to maintain them. This maintenance requirement isburdensome on many organizations whose main business is not related tothe data processing industry (e.g., a clothing manufacturer) becausethey are not well suited to handle such data processing needs.

Another drawback to enterprise networks is that they are geographicallyrestrictive. The term “geographically restrictive” refers to therequirement that if a user is not physically located such that they canplug their device directly into the enterprise network, the user cannottypically utilize it. To alleviate the problem of geographicrestrictiveness, virtual private networks have been developed.

In a virtual private network (VPN), a remote device or network connectedto the Internet may connect to the enterprise network through afirewall. This allows the remote device to access resources on theenterprise network even though it may not be located near any componentof the enterprise network. For example, FIG. 1 depicts a VPN 100, whereenterprise network 102 is connected to the Internet 104 via firewall106. By using VPN 100, a remote device D₁ 108 may communicate withenterprise network 102 via Internet 104 and firewall 106. Thus, D₁ 108may be plugged into an Internet portal virtually anywhere within theworld and make use of the resources on enterprise network 102.

To perform this functionality, D₁ 108 utilizes a technique known astunneling to ensure that the communication between itself and enterprisenetwork 102 is secure in that it cannot be viewed by an interloper.“Tunneling” refers to encapsulating one packet inside another whenpackets are transferred between end points (e.g., D₁ 108 and VPNsoftware 109 running on firewall 106). The packets may be encrypted attheir origin and decrypted at their destination. For example, FIG. 2Adepicts a packet 200 with a source Internet protocol (IP) address 202, adestination IP address 204, and data 206. It should be appreciated thatpacket 200 contains other information not depicted, such as the sourceand destination port. As shown in FIG. 2B, the tunneling technique formsa new packet 208 out of packet 200 by encrypting it and adding both anew source IP address 210 and a new destination IP address 212. In thismanner, the contents of the original packet (i.e., 202, 204, and 206)are not visible to any entity other than the destination. Referring backto FIG. 1, by using tunneling, remote device D₁ 108 may communicate andutilize the resources of the enterprise network 102 in a secure manner.

Although VPNs alleviate the problem of geographic restrictiveness, theyimpose significant processing overhead when two remote devicescommunicate. For example, if remote device D₁ 108 wants to communicatewith remote device D₂ 110, D₁ sends a packet using tunneling to VPNsoftware 109, where the packet is decrypted and then transferred to theenterprise network 102. Then, the enterprise network 102 sends thepacket to VPN software 109, where it is encrypted again and transferredto D₂. Given this processing overhead, it is burdensome for two remotedevices to communicate in a VPN environment. It is therefore desirableto alleviate the need of organizations to maintain their own networkinfrastructure as well as to improve communication between remotedevices.

SUMMARY OF THE INVENTION

Methods and systems consistent with the present invention provide aprivate network that uses components from a public-networkinfrastructure. Nodes of the private network can be located on virtuallyany device in the public network (e.g., the Internet), and both theircommunication and utilization of resources occur in a secure manner. Asa result, the users of this private network benefit from their networkinfrastructure being maintained for them as part of the public-networkinfrastructure, while the level of security they receive is similar toor even stronger than that provided by conventional private networks.Additionally, the nodes of the private network are not geographicallyrestricted in that they can be connected to the private network fromvirtually any portal to the Internet in the world.

This private network uses multicast communication to createEthernet-like communication between its nodes. In using multicasting,each communication of each node on a channel in the private network issent to a multicast address which sends it to all of the nodes on thechannel. By sending a copy of every communication to all of the othernodes on the channel, the private network makes it appear as though thenodes are directly connected. This makes system tasks, like debugging,easy for the nodes of the private network. The multicasting provided bythe private network is dynamic in that multicast addresses can beassigned for use by a channel and reclaimed so as to allow for thesharing of the multicast addresses. This dynamic use of multicastaddresses allows the multicast addresses to be used efficiently.

In accordance with an implementation consistent with the presentinvention, a method is provided in a distributed system having a publicnetwork infrastructure. A private network with a plurality of nodes isestablished a over the public network infrastructure, and a multicastcommunication is sent to the nodes on the private network.

In another implementation, a device is connected to a distributed systemcomprising a private network with a plurality of nodes on devices, theprivate network using a public network infrastructure. A first of thedevices has a memory that contains an address manager that assigns amulticast address with an expiration time to the plurality of nodes andthat deassigns the multicast address such that the multicast address isrendered unavailable to the plurality of nodes when the expiration timeexpires. The first device also has a processor that runs the addressmanager. A second device has a memory with a sending node that requestsfrom the address manager an address for a destination one of theplurality of nodes, that receives from the address manager the multicastaddress, and that sends a packet to the multicast address such that theplurality of nodes receives the packet. The second device also has aprocessor that runs the sending node.

BRIEF DESCRIPTION OF THE DRAWINGS

This invention is pointed out with particularity in the appended claims.The above and further advantages of this invention may be betterunderstood by referring to the following description taken inconjunction with the accompanying drawings, in which:

FIG. 1 depicts a conventional virtual private network (VPN) system;

FIG. 2A depicts a conventional network packet;

FIG. 2B depicts the packet of FIG. 2A after it has been encrypted inaccordance with a conventional tunneling technique;

FIG. 3 depicts a data processing system suitable for use with methodsand systems consistent with the present invention;

FIG. 4 depicts the nodes depicted in FIG. 3 communicating over multiplechannels;

FIG. 5 depicts two devices depicted in FIG. 3 in greater detail;

FIGS. 6A and 6B depict a flow chart of the steps performed when a nodejoins a VPN in a manner consistent with the present invention;

FIG. 7 depicts a flow chart of the steps performed when sending a packetfrom a node of the VPN in a manner consistent with the presentinvention;

FIG. 8 depicts a flow chart of the steps performed when receiving apacket by a node of the VPN in a manner consistent with the presentinvention;

FIG. 9 depicts a flow chart of the steps performed when logging out of aVPN in a manner consistent with the present invention;

FIG. 10 depicts a flow chart of the steps performed when multicasting ona channel in the VPN in a manner consistent with the present invention;and

FIG. 11A and 11B depict how multicast addresses can be dynamicallyallocated in the VPN in a manner consistent with the present invention.

DETAILED DESCRIPTION

Methods and systems consistent with the present invention provide a“Supernet,” which is a private network that uses components from apublic-network infrastructure. A Supernet allows an organization toutilize a public-network infrastructure for its enterprise network sothat the organization no longer has to maintain a private networkinfrastructure; instead, the organization may have the infrastructuremaintained for them by one or more service providers or otherorganizations that specialize in such connectivity matters. As such, theburden of maintaining an enterprise network is greatly reduced.Moreover, a Supernet is not geographically restrictive, so a user mayplug their device into the Internet from virtually any portal in theworld and still be able to use the resources of their private network ina secure and robust manner.

The Supernet uses multicast communication to create Ethernet-likecommunication between its nodes. In using multicasting, eachcommunication of each node on a channel in the private network is sentto a multicast address which sends it to all of the nodes on thechannel. By sending a copy of every communication to all of the othernodes on the channel, the private network makes it appear as though thenodes are directly connected. This makes system tasks, like debugging,easy for the nodes of the private network. The multicasting provided bythe private network is dynamic in that multicast addresses can beassigned for use by a channel and reclaimed so as to allow for thesharing of the multicast addresses. This dynamic use of multicastaddresses allows the multicast addresses to be used efficiently.

Overview

FIG. 3 depicts a data processing system 300 suitable for use withmethods and systems consistent with the present invention. Dataprocessing system 300 comprises a number of devices, such as computers302-312, connected to a public network, such as the Internet 314. ASupernet's infrastructure uses components from the Internet becausedevices 302, 304, and 312 contain nodes that together form a Supernetand that communicate by using the infrastructure of the Internet. Thesenodes 316, 318, 320, and 322 are communicative entities (e.g.,processes) running within a particular device and are able tocommunicate among themselves as well as access the resources of theSupernet in a secure manner. When communicating among themselves, thenodes 316, 318, 320, and 322 serve as end points for the communications,and no other processes or devices that are not part of the Supernet areable to communicate with the Supernet's nodes or utilize the Supernet'sresources. The Supernet also includes an administrative node 306 toadminister to the needs of the Supernet.

It should be noted that since the nodes of the Supernet rely on theInternet for connectivity, if the device on which a node is runningrelocates to another geographic location, the device can be plugged intoan Internet portal and the node running on that device can quicklyresume the use of the resources of the Supernet. It should also be notedthat since a Supernet is layered on top of an existing network, itoperates independently of the transport layer. Thus, the nodes of aSupernet may communicate over different transports, such as IP, IPX,X.25, or ATM, as well as different physical layers, such as RFcommunication, cellular communication, satellite links, or land-basedlinks.

As shown in FIG. 4, a Supernet includes a number of channels that itsnodes 316-322 can communicate over. A “channel” refers to a collectionof virtual links through the public-network infrastructure that connectthe nodes on the channel such that only these nodes can communicate overit. A node on a channel may send a message to another node on thatchannel, known as a unicast message, or it can send a message to allother nodes on that channel, known as a multicast message. For example,channel 1 402 connects node A 316 and node C 320, and channel 2 404connects node B 318, node C 320, and node D 322. Each Supernet has anynumber of preconfigured channels over which the nodes on that channelcan communicate. In an alternative embodiment, the channels aredynamically defined.

In addition to communication, the channels may be used to shareresources. For example, channel 1 402 may be configured to share a filesystem as part of node C 320 such that node A 316 can utilize the filesystem of node C in a secure manner. In this case, node C 320 serves asa file system manager by receiving file system requests (e.g., open,close, read, write, etc.) and by satisfying the requests by manipulatinga portion of the secondary storage on its local machine. To maintainsecurity, node C 320 stores the data in an encrypted form so that it isunreadable by others. Such security is important because the secondarystorage may not be under the control of the owners of the Supernet, butmay instead be leased from a service provider. Additionally, channel 2404 may be configured to share the computing resources of node D 322such that nodes B 318 and C 320 send code to node D for execution. Byusing channels in this manner, resources on a public network can beshared in a secure manner.

A Supernet provides a number of features to ensure secure and robustcommunication among its nodes. First, the system provides authenticationand admission control so that nodes become members of the Supernet understrict control to prevent unauthorized access. Second, the Supernetprovides communication security services so that the sender of a messageis authenticated and communication between end points occurs in a securemanner by using encryption. Third, the system provides key management toreduce the possibility of an intruder obtaining an encryption key andpenetrating a secure communication session. The system does so byproviding one key per channel and by changing the key for a channelwhenever a node joins or leaves the channel. Alternatively, the systemmay use a different security policy.

Fourth, the system provides address translation in a transparent manner.Since the Supernet is a private network constructed from theinfrastructure of another network, the Supernet has its own internaladdressing scheme, separate from the addressing scheme of the underlyingpublic network. Thus, when a packet from a Supernet node is sent toanother Supernet node, it travels through the public network. To do so,the Supernet performs address translation from the internal addressingscheme to the public addressing scheme and vice versa. To reduce thecomplexity of Supernet nodes, system-level components of the Supernetperform this translation on behalf of the individual nodes so that it istransparent to the nodes. Another benefit of the Supernet's addressingis that it uses an IP-based internal addressing scheme so thatpreexisting programs require little modification to run within aSupernet.

Fifth, the Supernet provides operating system-level enforcement of nodecompartmentalization in that an operating system-level component treatsa Supernet node running on a device differently than it treats otherprocesses on that device. This component (i.e., a security layer in aprotocol stack) recognizes that a Supernet node is part of a Supernet,and therefore, it enforces that all communications to and from this nodetravel through the security infrastructure of the Supernet such thatthis node can communicate with other members of the Supernet and thatnon-members of the Supernet cannot access this node. Additionally, thisoperating system-level enforcement of node compartmentalization allowsmore than one Supernet node to run on the same machine, regardless ofwhether the nodes are from the same Supernet, and allows nodes of othernetworks to run on the same machine as a Supernet node.

Finally, the Supernet provides Ethernet-like communication between nodesby using multicasting. Internet convention sets aside a range ofInternet Protocol (IP) addresses that are designated as multicastaddresses. In conventional networks, a user or group of users wishing toestablish a multicast group obtain a multicast address from the InternetAssigned Numbers Authority (IANA). Each time a message is sent to thismulticast address, the Internet routing tables direct a copy of themessage to every user or node in the multicast group. The Supernet takesadvantage of multicasting to make it appear as if the nodes are directlyconnected. This makes system tasks, like debugging, easy for members ofthe Supernet. Additionally, the multicast addresses can be dynamicallyassigned to channels and reclaimed when not in use.

Implementation Details

FIG. 5 depicts administrative machine 306 and device 302 in greaterdetail, although the other devices 304 and 308-312 may contain similarcomponents. Device 302 and administrative machine 306 communicate viaInternet 314. Each device contains similar components, including amemory 502, 504; secondary storage 506, 508; a central processing unit(CPU) 510, 512; an input device 514, 516; and a video display 518, 520.One skilled in the art will appreciate that these devices may containadditional or different components.

Memory 504 of administrative machine 306 includes the SASD process 540,VARPD 548, and KMS 550 all running in user mode. That is, CPU 512 iscapable of running in at least two modes: user mode and kernel mode.When CPU 512 executes programs running in user mode, it prevents themfrom directly manipulating the hardware components, such as videodisplay 518. On the other hand, when CPU 512 executes programs runningin kernel mode, it allows them to manipulate the hardware components.Memory 504 also contains a VARPDB 551 and a TCP/IP protocol stack 552that are executed by CPU 512 running in kernel mode. TCP/IP protocolstack 552 contains a TCP/UDP layer 554 and an IP layer 556, both ofwhich are standard layers well known to those of ordinary skill in theart. Secondary storage 508 contains a configuration file 558 that storesvarious configuration-related information (described below) for use bySASD 540.

SASD 540 represents a Supernet: there is one instance of an SASD perSupernet, and it both authenticates nodes and authorizes nodes to jointhe Supernet. VARPD 548 has an associated component, VARPDB 551, intowhich it stores mappings of the internal Supernet addresses, known as anode IDs, to the network addresses recognized by the public-networkinfrastructure, known as the real addresses. The “node ID” may includethe following: a Supernet ID (e.g., 0x 123), reflecting a uniqueidentifier of the Supernet, and a virtual address, comprising an IPaddress (e.g., 10.0.0.1). The “real address” is an IP address (e.g.,10.0.0.2) that is globally unique and meaningful to the public-networkinfrastructure. In a Supernet, one VARPD runs on each machine, and itmay play two roles. First, a VARPD may act as a server by storing alladdress mappings for a particular Supernet into its associated VARPDB.Second, regardless of its role as a server or not, each VARPD assists inaddress translation for the nodes on its machine. In this role, theVARPD stores into its associated VARPDB the address mappings for itsnodes, and if it needs a mapping that it does not have, it will contactthe VARPD that acts as the server for the given Supernet to obtain it.

KMS 550 performs key management by generating a new key every time anode joins a channel and by generating a new key every time a nodeleaves a channel. There is one KMS per channel in a Supernet.

To configure a Supernet, a system administrator creates a configurationfile 558 that is used by SASD 540 when starting or reconfiguring aSupernet. This file may specify: (1) the Supernet name, (2) all of thechannels in the Supernet, (3) the nodes that communicate over eachchannel, (4) the address of the KMS for each channel, (5) the address ofthe VARPD that acts as the server for the Supernet, (6) the user IDs ofthe users who are authorized to create Supernet nodes, (7) theauthentication mechanism to use for each user of each channel, (8) theencryption algorithm to use for each channel, and (9) the multicastaddress associated with each channel. Although the configurationinformation is described as being stored in a configuration file, oneskilled in the art will appreciate that this information may beretrieved from other sources, such as databases or interactiveconfigurations.

After the configuration file is created, it is used to start a Supernet.For example, when starting a Supernet, the system administrator firststarts SASD, which reads the configuration information stored in theconfiguration file. Then, the administrator starts the VARPD on theadministrator's machine, indicating that it will act as the server forthe Supernet and also starts the KMS process. After this processing hascompleted, the Supernet is ready for nodes to join it.

Memory 502 of device 302 contains SNlogin script 522, SNlogout script524, VARPD 526, KMC 528, KMD 530, and node A 522, all running in usermode. Memory 502 also includes TCP/IP protocol stack 534 and VARPDB 536running in kernel mode.

SNlogin 522 is a script used for logging into a Supernet. Successfullyexecuting this script results in a Unix shell from which programs (e.g.,node A 522) can be started to run within the Supernet context, such thataddress translation and security encapsulation is performedtransparently for them and all they can typically access is other nodeson the Supernet. Alternatively, a parameter may be passed into SNlogin522 that indicates a particular process to be automatically run in aSupernet context. Once a program is running in a Supernet context, allprograms spawned by that program also run in the Supernet context,unless explicitly stated otherwise. SNlogout 524 is a script used forlogging out of a Supernet. Although both SNlogin 522 and SNlogout 524are described as being scripts, one skilled in the art will appreciatethat their processing may be performed by another form of software.VARPD 526 performs address translation between node IDs and realaddresses. KMC 528 is the key management component for each node thatreceives updates whenever the key for a channel (“the channel key”)changes. There is one KMC per node per channel. KMD 530 receivesrequests from SNSL 542 of the TCP/IP protocol stack 534 when a packet isreceived and accesses the appropriate KMC for the destination node toretrieve the appropriate key to decrypt the packet. Node A 532 is aSupernet node running in a Supernet context.

TCP/IP protocol stack 534 contains a standard TCP/UDP layer 538, twostandard IP layers (an inner IP layer 540 and an outer IP layer 544),and a Supernet security layer (SNSL) 542, acting as the conduit for allSupernet communications. To conserve memory, both inner IP layer 540 andouter IP layer 544 may share the same instance of the code of an IPlayer. SNSL 542 performs security functionality as well as addresstranslation. It also caches the most recently used channel keys for tenseconds. Thus, when a channel key is needed, SNSL 542 checks its cachefirst, and if it is not found, it requests KMD 530 to contact theappropriate KMC to retrieve the appropriate channel key. Two IP layers540, 544 are used in the TCP/IP protocol stack 534 because both theinternal addressing scheme and the external addressing scheme areIP-based. Thus, for example, when a packet is sent, inner IP layer 540receives the packet from TCP/UDP layer 538 and processes the packet withits node ID address before passing it to the SNSL layer 542, whichencrypts it, prepends the real source IP address and the realdestination IP address, and then passes the encrypted packet to outer IPlayer 544 for sending to the destination.

SNSL 542 utilizes VARPDB 536 to perform address translation. VARPDBstores all of the address mappings encountered thus far by SNSL 542,including the multicast address mapping for each channel. If SNSL 542requests a mapping that VARPDB 536 does not have, VARPDB communicateswith the VARPD 526 on the local machine to obtain the mapping. VARPD 526will then contact the VARPD that acts as the server for this particularSupernet to obtain it.

Although aspects of the present invention are described as being storedin memory, one skilled in the art will appreciate that these aspects canalso be stored on or read from other types of computer-readable media,such as secondary storage devices, like hard disks, floppy disks, orCD-ROM; a carrier wave from a network, such as the Internet; or otherforms of RAM or ROM either currently known or later developed.Additionally, although a number of the software components are describedas being located on the same machine, one skilled in the art willappreciate that these components may be distributed over a number ofmachines.

FIGS. 6A and 6B depict a flow chart of the steps performed when a nodejoins a Supernet. The first step performed is that the user invokes theSNlogin script and enters the Supernet name, their user ID, theirpassword, and a requested virtual address (step 602). Of course, thisinformation depends on the particular authentication mechanism used.Upon receiving this information, the SNlogin script performs ahandshaking with SASD to authenticate this information. In this step,the user may request a particular virtual address to be used, oralternatively, the SASD may select one for them. Next, if any of theinformation in step 602 is not validated by SASD (step 604), processingends. Otherwise, upon successful authentication, SASD creates an addressmapping between a node ID and the real address (step 606). In this step,SASD concatenates the Supernet ID with the virtual address to create thenode ID, obtains the real address of the SNlogin script by queryingnetwork services in a well-known manner, and then registers thisinformation with the VARPD that acts as the server for this Supernet.This VARPD is identified in the configuration file. Before accepting theaddress mapping, the VARPD server authenticates the SASD using any of anumber of well-known authentication techniques, including DigitalSignatures and Kerberos. In this manner, the system ensures that ahacker is not inserting a bogus mapping to violate the integrity of thesystem.

After creating the address mapping, SASD informs the KMS that there is anew Supernet member that has been authenticated and admitted (step 608).In this step, SASD sends the node ID and the real address to KMS whothen generates a key ID, a key for use in communicating between thenode's KMC and the KMS (“a node key”), and updates the channel key foruse in encrypting traffic on this particular channel (step 610).Additionally, KMS sends the key ID and the node key to SASD anddistributes the channel key to all KMCs on the channel as a new keybecause a node has just been added to the channel. SASD receives the keyID and the node key from KMS and returns it to SNlogin (step 612). Afterreceiving the key ID and the node key from SASD, SNlogin starts a KMCfor this node and transmits to the KMC the node ID, the key ID, the nodekey, the address of the VARPD that acts as the server for this Supernet,and the address of KMS (step 614). The KMC then registers with the KMDindicating the node it is associated with, and KMC registers with KMSfor key updates (step 616). When registering with KMS, KMC provides itsaddress so that it can receive updates to the channel key via theVersakey protocol. The Versakey protocol is described in greater detailin IEEE Journal on Selected Areas in Communication, Vol. 17, No. 9,1999, pp. 1614-1631. After registration, the KMC will receive keyupdates whenever a channel key changes on one of the channels that thenode communicates over.

Next, SNlogin configures SNSL (step 618 in FIG. 6B). In this step,SNlogin indicates which encryption algorithm to use for this channel andwhich authentication algorithm to use, both of which are received fromthe configuration file via SASD. SNSL stores this information in anaccess control list. In accordance with methods and systems consistentwith present invention, any of a number of well-known encryptionalgorithms may be used, including the Data Encryption Standard (DES),Triple-DES, the International Data Encryption Algorithm (IDEA), and theAdvanced Encryption Standard (AES). Also, RC2, RC4, and RC5 from RSAIncorporated may be used as well as Blowfish from Counterpane.com.Additionally, in accordance with methods and systems consistent with thepresent invention, any of a number of well-known authenticationalgorithms may be used, including Digital Signatures, Kerberos, SecureSocket Layer (SSL), and MD5, which is described in RFC1321 of theInternet Engineering Task Force, April, 1992.

After configuring SNSL, SNlogin invokes an operating system call,SETVIN, to cause the SNlogin script to run in a Supernet context (step620). In Unix, each process has a data structure known as the “procstructure” that contains the process ID as well as a pointer to avirtual memory description of this process. In accordance with methodsand systems consistent with the present invention, the channel IDsindicating the channels over which the process communicates as well asits virtual address for this process are added to this structure. Byassociating this information with the process, the SNSL layer canenforce that this process runs in a Supernet context. Although methodsand systems consistent with the present invention are described asoperating in a Unix environment, one skilled in the art will appreciatethat such methods and systems can operate in other environments. Afterthe SNlogin script runs in the Supernet context, the SNlogin scriptspawns a Unix program, such as a Unix shell or a service daemon (step622). In this step, the SNlogin script spawns a Unix shell from whichprograms can be run by the user. All of these programs will thus run inthe Supernet context until the user runs the SNlogout script.

FIG. 7 depicts a flow chart of the steps performed when sending a packetfrom node A. Although the steps of the flow chart are described in aparticular order, one skilled in the art will appreciate that thesesteps may be performed in a different order. Additionally, although theSNSL layer is described as performing both authentication andencryption, this processing is policy driven such that eitherauthentication, encryption, both, or neither may be performed. The firststep performed is for the SNSL layer to receive a packet originatingfrom node A via the TCP/UDP layer and the inner IP layer (step 702). Thepacket contains a source node ID, a destination node ID, and data. TheSNSL layer then accesses the VARPDB to obtain the address mappingbetween the source node ID and the source real address as well as thedestination node ID and the destination real address (step 704). If theyare not contained in the VARPDB because this is the first time a packethas been sent from this node or sent to this destination, the VARPDBaccesses the local VARPD to obtain the mapping. When contacted, theVARPD on the local machine contacts the VARPD that acts as the serverfor the Supernet to obtain the appropriate address mapping.

After obtaining the address mapping, the SNSL layer determines whetherit has been configured to communicate over the appropriate channel forthis packet (step 706). This configuration occurs when SNlogin runs, andif the SNSL has not been so configured, processing ends. Otherwise, SNSLobtains the channel key to be used for this channel (step 708). The SNSLmaintains a local cache of keys and an indication of the channel towhich each key is associated. Each channel key is time stamped to expirein ten seconds, although this time is configurable by the administrator.If there is a key located in the cache for this channel, SNSL obtainsthe key. Otherwise, SNSL accesses KMD which then locates the appropriatechannel key from the appropriate KMC. After obtaining the key, the SNSLlayer encrypts the packet using the appropriate encryption algorithm andthe key previously obtained (step 710). When encrypting the packet, thesource node ID, the destination node ID, and the data may be encrypted,but the source and destination real addresses are not, so that the realaddresses can be used by the public network infrastructure to send thepacket to its destination.

After encrypting the packet, the SNSL layer authenticates the sender toverify that it is the bona fide sender and that the packet was notmodified in transit (step 712). In this step, the SNSL layer uses theMD5 authentication protocol, although one skilled in the art willappreciate that other authentication protocols may be used. Next, theSNSL layer passes the packet to the IP layer where it is then sent tothe destination node in accordance with known techniques associated withthe IP protocol (step 714).

FIG. 8 depicts a flow chart of the steps performed by the SNSL layerwhen it receives a packet. Although the steps of the flow chart aredescribed in a particular order, one skilled in the art will appreciatethat these steps may be performed in a different order. Additionally,although the SNSL layer is described as performing both authenticationand encryption, this processing is policy driven such that eitherauthentication, encryption, both, or neither may be performed. The firststep performed by the SNSL layer is to receive a packet from the network(step 801). This packet contains a real source address and a realdestination address that are not encrypted as well as a source node ID,a destination node ID, and data that are encrypted. Then, it determineswhether it has been configured to communicate on this channel to thedestination node (step 802). If SNSL has not been so configured,processing ends. Otherwise, the SNSL layer obtains the appropriate keyas previously described (step 804). It then decrypts the packet usingthis key and the appropriate encryption algorithm (step 806). Afterdecrypting the packet, the SNSL layer authenticates the sender andvalidates the integrity of the packet (step 808), and then it passes thepacket to the inner IP layer for delivery to the appropriate node (step810). Upon receiving the packet, the inner IP layer uses the destinationnode ID to deliver the packet.

FIG. 9 depicts a flow chart of the steps performed when logging a nodeout of a Supernet. The first step performed is for the user to run theSNlogout script and to enter a node ID (step 902). Next, the SNlogoutscript requests a log out from SASD (step 904). Upon receiving thisrequest, SASD removes the mapping for this node from the VARPD that actsas the server for the Supernet (step 906). SASD then informs KMS tocancel the registration of the node, and KMS terminates this KMC (step908). Lastly, KMS generates a new channel key for the channels on whichthe node was communicating (step 910) to provide greater security.

FIG. 10 depicts a flow chart of the steps performed when multicasting ona channel in the Supernet. When establishing or reconfiguring theSupernet, the system administrator stores a multicast address for eachchannel in the configuration file (step 1000). When the SASD is started,it reads the multicast addresses from the configuration file (step1002). The SASD passes an address to the VARPD server for the channel(step 1004). The VARPD server inserts into the VARPDB the multicastaddress as the real address in the mapping for every node on the channel(step 1006). Next, one of the nodes on the channel sends a packet to adestination node by passing it to the protocol stack (step 1008). Inthis step, the SNSL layer requests a mapping for the destination nodeand receives one that indicates the multicast address because thischannel uses multicast addressing. The SNSL layer then sends the packetto this multicast address which causes it to be delivered to all of thenodes on the channel.

Alternatively, FIGS. 11A and 11B depict how the multicast addresses canbe dynamically allocated. In this embodiment, the SASD maintains a listof available multicast addresses, and each address mapping for amulticast channel has an expiration time of 10 minutes, which isconfigurable. Initially, the VARPD server requests a multicast addressto use for its channel (step 1102). Responsive to this request, the SASDreturns a multicast address to the VARPD server (step 1104). Uponreceiving the multicast address, the VARPD server updates the addressmappings for each of the nodes on the channel to use this multicastaddress as its real address (step 1106). Next, the VARPD server detectsif the expiration time has expired (step 1108). If not, the VARPD servermay continue to use the multicast address. If it has expired, the VARPDserver overwrites the mappings for all nodes in the channel with null(step 1110) and indicates to the SASD that the multicast address isavailable for use by another channel (step 1112).

After relinquishing the multicast address, if one of the addressmappings on this channel is requested that has a null real address (step1114), the VARPD server will request a multicast address from the SASD(step 1116 in FIG. 11B). If an address is unavailable, the VARPD serverwill wait. Otherwise, if one is available, the VARPD server receives themulticast address from the SASD (step 1120), updates all of the mappingsfor the nodes on the channel with this address, and returns it to therequesting node (step 1122).

Although the present invention has been described with reference to apreferred embodiment, those skilled in the art will know of variouschanges in form and detail which may be made without departing from thespirit and scope of the present invention as defined in the appendedclaims and their full scope of equivalents.

1. A method in a data processing system for providing communication in anetwork with a plurality of channels, each of the channels with aplurality of nodes having an address stored in an address resolutioncomponent, the method comprising the steps of: assigning, by a securedaccess program, a multicast address to the plurality of nodes on one ofthe channels by transmitting the multicast address to the addressresolution component; authenticating, by the address resolutioncomponent, the secured access program; responsive to successfullyauthenticating the secured access program, updating, by the addressresolution component, the address of each node on the one channel toinclude the multicast address; sending a packet to the multicast addresssuch that only the plurality of nodes on the one channel receive thepacket; and deassigning the multicast address from the one channel suchthat the multicast address is rendered unavailable to the nodes on theone channel.
 2. The method of claim 1 wherein the assigning step furthercomprises reading the multicast address from a configuration file. 3.The method of claim 1 wherein the assigning step further comprises thestep of: designating an expiration time for the multicast address; andwherein the deassigning step further comprises the step of: determiningthat the expiration time has lapsed.
 4. The method of claim 1 whereinthe network is a private network running on a public networkinfrastructure.
 5. A method in a distributed system having a publicnetwork infrastructure, the method comprising the steps of: establishinga private network with a plurality of nodes over the public networkinfrastructure, wherein each node has an address stored in an addressresolution component in the private network; assigning, by a securedaccess program in the Private network, a multicast address to a channelcontaining fewer than all of the nodes on the private network bytransmitting the multicast address to the address resolution component;authenticating, by the address resolution component, the secured accessprogram; responsive to successfully authenticating the secured accessprogram, updating, by the address resolution component, an address ofeach node on the channel to include the multicast address; sending amulticast communication to the channel containing fewer than all of thenodes on the private network using the multicast address assigned to thechannel on the private network; and deassigning the multicast addressfrom the channel on the private network, thereby making the multicastaddress unavailable to the nodes in the channel on the private network.6. The method of claim 5 further including the step of: assigning themulticast address to another channel containing fewer than all of theplurality of nodes on the network.
 7. A distributed system comprising aprivate network with a plurality of nodes on devices, the privatenetwork using a public network infrastructure, comprising: a first ofthe devices comprising: a memory with a secured access program thatassigns a multicast address with an expiration time to a channelcontaining fewer than all of the plurality of nodes by transmitting themulticast address to an address manager, and that deassigns themulticast address such that the multicast address is renderedunavailable to the channel when the expiration time expires; and aprocessor that runs the secured access program; a second of the devicescomprising: a memory with an address manager that receives the multicastaddress, authenticates the secured access program, and updates anaddress of each node on the channel to include the multicast address;and a processor that runs the address manager; and a third devicecomprising: a memory with a sending one of the nodes on the channel thatrequests from the address manager an address for a destination one ofthe nodes on the channel, that receives from the address manager themulticast address, and that sends a packet to the multicast address suchthat only the plurality of nodes on the channel receives the packet; anda processor that runs the sending node.
 8. A method in a data processingsystem for providing communication in a network with a plurality ofchannels, each of the channels with a plurality of nodes, wherein eachnode has an address stored in an address resolution component, themethod comprising the steps of: assigning, by a secured access program,a multicast address to the plurality of nodes on one of the channels bytransmitting the multicast address to the address resolution component;authenticating the secured access program, by the address resolutioncomponent; responsive to successfully authenticating the secured accessprogram, updating the addresses in the address resolution component toinclude the multicast address for each of the plurality of nodes on theone channel by the address resolution component; attempting to send apacket from a sending one of the plurality of nodes on the one channelto a destination one of the plurality of nodes on the one channel bypassing the packet to a protocol stack; accessing the multicast addressin the address resolution component by the protocol stack; using themulticast address to transmit the packet to the plurality of nodes onthe one channel such that the packet is not transmitted to nodes in thenetwork that are not on the one channel; and deassigning the multicastaddress from the one channel by the address resolution component suchthat the multicast address is rendered unavailable to the plurality ofnodes on the one channel.
 9. The method of claim 8 wherein the assigningstep further comprises the step of: designating an expiration time forthe multicast address; and wherein the deassigning step furthercomprises the step of: determining that the expiration time has expired.10. The method of claim 8, wherein the method further includes the stepof: assigning the multicast address to the plurality of nodes on anotherone of the channels.
 11. A data processing system for providing adistributed system in a public network infrastructure, the dataprocessing system comprising: means for establishing a private networkwith a plurality of nodes over the public network infrastructure,wherein each node has an address stored in an address resolutioncomponent in the private network; means for assigning, by a securedaccess program in the private network, a multicast address to a channelcontaining fewer than all of the nodes on the private network bytransmitting the multicast address to the address resolution component;means for authenticating, by the address resolution component, thesecured access program; means for updating by the address resolutioncomponent, responsive to successfully authenticating the secured accessprogram, an address of each node on the channel to include the multicastaddress; means for sending a multicast communication to the channelcontaining fewer than all of the nodes on the private network using themulticast address assigned to the channel on the private network; andmeans for deassigning the multicast address from the channel on theprivate network, thereby making the multicast address unavailable to thenodes in the channel on the private network.
 12. A computer-readablemedium containing instructions for controlling a data processing systemto perform a method, the method in a distributed system having a publicnetwork infrastructure, the method comprising the steps of: establishinga private network with a plurality of nodes over the public networkinfrastructure, wherein each node has an address stored in an addressresolution component in the private network; assigning, by a securedaccess program in the private network, a multicast address to a channelcontaining fewer than all of the nodes on the private network bytransmitting the multicast address to the address resolution component,authenticating, by the address resolution component, the secured accessprogram; responsive to successfully authenticating the secured accessprogram, updating, by the address resolution component, an address ofeach node on the channel to include the multicast address; sending amulticast communication to the channel containing fewer than all of thenodes on the private network using the multicast address assigned to thechannel on the private network; and deassigning the multicast addressfrom the channel on the private network, thereby making the multicastaddress unavailable to the nodes in the channel on the private network.13. The computer-readable medium of claim 12, the method furtherincluding the step of: assigning the multicast address to anotherchannel containing fewer than all of nodes on the network.
 14. Acomputer-readable medium containing instructions for controlling a dataprocessing system to perform a method, the method in a data processingsystem for providing communication in a network with a plurality ofchannels, each of the channels with a plurality of nodes, wherein eachnode has an address stored in an address resolution component, themethod comprising the steps of: assigning, by a secured access program,a multicast address to the plurality of nodes on one of the channels bytransmitting the multicast address to the address resolution component;authenticating, by the address resolution component, the secured accessprogram; responsive to successfully authenticating the secured accessprogram, updating, by the address resolution component, the address ofeach node on the one channel to include the multicast address; sending apacket to the multicast address such that the plurality of nodes on theone channel receive the packet and nodes in the network that are not onthe one channel do not receive the packet; and deassigning the multicastaddress from the one channel such that the multicast address is renderedunavailable to the nodes on the one channel.
 15. The computer-readablemedium of claim 14 wherein the assigning step further comprises the stepof: reading the multicast address from a configuration file.
 16. Thecomputer-readable medium of claim 14 wherein the assigning step furthercomprises the step of: designating an expiration time for the multicastaddress; and wherein the deassigning step further comprises the step of:determining that the expiration time has lapsed.
 17. Thecomputer-readable medium of claim herein the network is a privatenetwork running on a public network infrastructure.